New to WP. I soon realized there are some files that need to be writable by the web server, otherwise various operations fail. Moreover, the lists seem to be different for different tasks. Not sure I'm in love with the concept, but okay, I'll work with it.

The trouble is, I can't figure out a simple way to determine which files / folders could be written to by the web server during the course of various actions. The documentation I've found seems either geared towards less technically-abled users ("just enable everything!") or focused on very narrow aspects.

Does anybody have the minimal lists of writable files for various operations, such as: uploading content, installing a plugin or a theme, upgrading WP (this one is easy: everything needs to be writable), etc.?

1 Answer

The short answer is that you're correct... You don't want the web server (or web user) accounts to have full write access to your WordPress installation. Your user account, however, will need write permissions for the entire application because many of the WordPress features (such as automatic updates among others) require access to the core files.

Some of WordPress' cool features come from allowing some files to be writable by the web server. However, letting an application have write access to your files is a dangerous thing, particularly in a public environment.

It is best, from a security perspective, to lock down your file permissions as much as possible and to loosen those restrictions on the occasions that you need to allow write access, or to create special folders with more lax restrictions for the purpose of doing things like uploading images.

Here is one possible permission scheme.

All files should be owned by your user account, and should be writable by you. Any file that needs write access from WordPress should be group-owned by the user account used by the web server.
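One way to check an installation against the scheme described in this answer, as an added example that is not part of the original answer: it walks the tree and lists every path the web server account could modify outside an allow-list. The function names, the `wp-content/uploads` allow-list entry and the numeric uid/gid arguments are assumptions for illustration.

```python
import os
import stat
import sys


def web_writable(mode, uid, gid, web_uid, web_gid):
    """True if the web server account could modify a path with this metadata."""
    if mode & stat.S_IWOTH:                     # world-writable
        return True
    if gid == web_gid and mode & stat.S_IWGRP:  # writable through the web server's group
        return True
    return uid == web_uid                       # the owner can write, or chmod and then write


def audit_tree(root, web_uid, web_gid, allowed=("wp-content/uploads",)):
    """Return sorted paths (relative to root) that the web server can modify
    but that are not under one of the `allowed` prefixes (assumed allow-list)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # permission bits on a symlink itself are not meaningful
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(rel == a or rel.startswith(a + "/") for a in allowed):
                continue  # intentionally writable area, e.g. uploads
            if web_writable(st.st_mode, st.st_uid, st.st_gid, web_uid, web_gid):
                findings.append(rel)
    return sorted(findings)


if __name__ == "__main__":
    # usage: audit.py <wordpress-root> <web-uid> <web-gid>
    for path in audit_tree(sys.argv[1], int(sys.argv[2]), int(sys.argv[3])):
        print(path)
```

An empty result means the web server can write only inside the allow-listed directories; rerun it after temporarily loosening permissions for a plugin install or upgrade to confirm they were tightened again.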